Security Notions for Identity Based Encryption

Security Notions for Identity Based Encryption

David Galindo and Ichiro Hasuo

Institute for Computing and Information Sciences Radboud University Nijmegen

P.O.Box 9010, 6500 GL Nijmegen, The Netherlands {d.galindo,ichiro}@cs.ru.nl

Abstract. Identity Based Encryption (IBE) has attracted a lot of attention since the publica-tion of the scheme by Boneh and Franklin. So far, only indistinguishability based security nopublica-tions have been considered in the literature, and it has not been investigated whether these definitions are appropriate. For this purpose, we define the goals of semantic security and non-malleability for IBE. We then compare the security notions resulting from combining those goals with the attacks previously considered in the literature (full and selective-identity attacks), providing ei-ther an implication or a separation. Remarkably, we show that the strongest security levels with respect to selective-identity attacks (i.e. chosen-ciphertext security) do not imply the weakest full-identity security level (i.e. one-wayness). With the aim of comprehensiveness, notions of se-curity for IBE in the context of encryption of multiple messages and/or to multiple receivers are finally presented, as well as their relationship with the standard IBE security notion. The results obtained substantiate indistinguishability against full-identity chosen ciphertext attacks as the appropriate security notion for IBE.

Keywords:foundations, identity-based encryption, one-wayness, indistinguishability, non-malleability, semantic security, selective-identity attacks, full-identity attacks, implications and separations.

1 Introduction

The concept of Identity Based Encryption (IBE) was proposed by Shamir in [Sha85], aimed at simplifying certificate management in e-mail related systems. The idea is that an arbitrary string such as an e-mail address or a telephone number could serve as a public key for an encryption scheme. Once a userU receives a communication encrypted using its identityidU,

the user authenticates itself to a Key Generation Center (KGC) from which it obtains the corresponding private keydU.

The problem was not satisfactorily solved until the work by Boneh and Franklin [BF03]. They proposed formal security notions for IBE systems and designed a secure IBE scheme. Since then, IBE has attracted a lot of attention, and a large number of IBE schemes and re-lated systems (such as [Gen03,AP03]) have been proposed. So far, only the indistinguishability based security notions proposed in [BF03], as well as the variations obtained from [CHK03], have been considered in the literature, and it has not been investigated whether these defi-nitions are appropriate. To better understand what does mean the “appropriateness” of an encryption security notion it is worthwhile to remind how the standard security notion for Public Key Encryption (PKE) was adopted.

adversary to learn any information about the plaintextm hidden in a challenge ciphertextc, while indistinguishability is a technical goal, aimed at capturing a strong form of privacy and being easier to work and reason with than semantic security. Non-malleability formalizes that an adversary can not build up a ciphertextc′ 6=cwhose decryption is meaningfully related to

m. This notion models the tamper-proofness of a scheme. Regarding attacks,chosen-plaintext attacks (CPA) [GM84] and chosen-ciphertext attacks (CCA) [RS92] are the most well-known models. UnderCPAthe adversary is given the public key of the scheme, and thus can encrypt messages on its own, while in CCA the adversary gets in addition access to a decryption oracle, to which it can submit any ciphertext of its choice except for the challenge ciphertext

c. Combining these goals and attacks one obtains six security notions: IND-CPA, IND-CCA, SS-CPA, SS-CCA, NM-CPA, NM-CCA.

The equivalence betweenIND-CPAand SS-CPA was studied in [GM84], and the relations betweenIND and NM under any form of attack were presented in [BDPR98]. In particular, they showed that NM implies IND under any attack form considered there, but that the opposite direction only holds for theCCAcase. For this reason,IND-CCA was considered the right notion of security for general purpose PKE. However, in [BDPR98] was emphasized that a definition forSS-CCA had not been proposed yet, and thus was not known ifIND-CCA and SS-CCA were actually equivalent notions. Despite this fact, it became “cryptographic folklore” that those notions were equivalent, and this equivalence was even explicitly used in the literature, for instance in [SJ00,KI01,DT03]. Finally, it was not until [WSI02,GLN02] that anSS-CCA definition was given and proved to be equivalent toIND-CCA.

State of the art on IBE security notions.The first IBE security notions were proposed in [BF03]. These new notions were inspired on the existing PKE definitions, with the novelties that the adversary, regardless of the attack model, is given access to an extraction oracle, which on input an identity id ∈ {0,1}∗ _{outputs the corresponding private key. Moreover,} the adversary selects the identity idch on which it wants to be challenged, so that now the challenge consists of a pair (idch, c), where c denotes a ciphertext encrypted under identity idch. In [BF03] the adversary is allowed to adaptively selectidch, probably depending on the information received so far (such as decryption keys), while in [CHK03] the adversary must commit ahead of time to the challenge identity. The latter model is referred to as selective-identityattacks (sID), while the original model is calledfull-identityattacks (ID). With respect to IBE goals, only one-wayness and indistinguishability [BF03] have been defined so far. Thus, the security definitions mostly considered up to now in the literature are:ID-CPA, IND-sID-CPA,IND-ID-CCA,IND-sID-CCA.

Currently,IND-ID-CCA is thought to be the right security notion for IBE. However, there is no work, in the sense of [BDPR98], aiming at establishing the strength of this security notion, and it also lacks to relate the full-identity and the (purportedly) weaker selective-identity models. Moreover, although no definition for semantic security in the context of IBE encryption has been given to the best of our knowledge, in the original work by Boneh and Franklin the security notionsIND-ID-CPA, (IND-ID-CCA) are presented as equivalent to SS-ID-CPA, (SS-ID-CCA).

With respect to the relation between selective and full-identity attacks, we show in Section 4 that the strongest security levels with respect tosIDattacks (i.e. chosen-ciphertext security) do not even imply the weakest ID security level (i.e. one-wayness). It turns out then that selective-identity security is a strictly weaker security requirement than full-identity security. Notwithstanding,sIDsecurity suffices for other purposes, for instance for building IND-CCA PKE schemes [CHK04], and there exists an efficient generic transformation in the Random Oracle Model [BR93] from sID security to ID security [BB04a]. There are several efficient schemes in the literature meeting full-identity security in the Random Oracle Model [BR93], such as [BF03,BB04a,LQ05,Gal05,CC05]. Currently, only the works [BB04a,BB04b,Wat05] show schemes with ID security in the standard model.

In Section 5, we compare the full-identity security notions resulting from our work, pro-viding either an implication or a separation. Our results are summarized in Table 1. As in [BDPR98], this diagram must be seen as a directed graph. An arrow is an implication, and there is path betweenAandBif and only if the security notionAimplies the security notion B. A hatched arrow represents a separation which is proved in this paper. Dotted arrows refer to trivial implications. For each pair of notions we obtain an implication or a separation, which is either explicitly found in the diagram or deduced from it. For instance, it turns out that IND-ID-CPA does not imply IND-ID-CCA. Otherwise, following the arrows in the dia-gram, there would be a path between IND-ID-CPA and NM-ID-CPA, which is impossible due to Theorem 11. As a particular case, we show thatSS-ID-CCAandIND-ID-CCAare equivalent under our definition, thus proving the intuition stated in [BF03]. Recently it has come to our attention that in an independent work, [ACH+_{05] shows similar results to those we present}

in this section.

SS-mID-CCA

multiple-challenge CCA security

SS-mID-mCCA SS-ID-mCCA

OW-ID-CCA × SS-ID-CCA IND-ID-CCA NM-ID-CCA

OW-ID-CPA × SS-ID-CPA IND-ID-CPA × NM-ID-CPA

×

8 > > <

> > :

NM IND SS OW

9 > > =

> > ;

-sID-

CCA CPA ff

×

selective-identity security

Table 1.Relations among security notions

the same plaintext under different identities)1;multiple-plaintext (ID-mCCA) attacks (the ad-versary chooses one fixed identity, and can adaptively query encryption of different plaintexts under that identity) and multiple-identity-plaintext attacks (mID-mCCA) (the adversary can adaptively query encryption of different plaintexts under different identities ). It is shown that any IND-ID-CCAscheme also meets those stronger security levels.

The proof techniques used throughout the paper are indebted to the techniques used in [BDPR98] and [GLN02]. Still, the fact that PKE and IBE are essentially different crypto-graphic primitives, makes some subtleties to appear, which demand to be carefully examined. For instance, a strong separation such as the one we present between sIDand ID security, is not known for PKE security notions. As a general conclusion, the broad body of evidences pre-sented in this work confirm indistinguishability against full-identity chosen-ciphertext attacks as the appropriate security notion for IBE.

2 Preliminaries

We start by fixing some notation and recalling basic concepts.

Algorithmic notation. Assigning a value a to a variable x will be in general denoted by

x ←a. If A is a non-empty set, thenx←A denotes that x has been uniformly chosen inA. If D is a probability distribution over A, then x ← D means that x has been chosen in A

by sampling the distribution D. Finally, if Ais an algorithm,x← Ameans thatA has been executed on some specified input and its output has been assigned to the variable x.

Negligible functions. The class of negligible functions on a parameter ℓ ∈ Z+_{, denoted}

as negl(ℓ), is the set of the functions ǫ : Z+ _→ R+ _{such that, for any polynomial p ∈} R_[ℓ],

there exist M ∈ R+ _{such that ǫ(ℓ) <} M

p(ℓ) for all ℓ ∈ Z+. Let poly(ℓ) the class of functions p:Z+_→ R+ _{upper bounded in}Z+ _{by some polynomial in} R_{[ℓ]. Hereafter, U(ℓ) denotes the}

uniform distribution on {0,1}ℓ_.

Set sequences.As usual,{0,1}⋆and{0,1}ℓwill respectively denote the set of all finite binary strings and the set of binary strings with lengthℓ. Ifm∈ {0,1}⋆_{,then|m|denotes its length.}

A string set sequence, M= {Mℓ}ℓ∈Z+, is a polynomial size set (hereafter simply named as set) if there exist an integer valued function pM(ℓ)∈poly(ℓ) such that Mℓ⊆ {0,1}pM(ℓ) for

allℓ∈Z+_{. The cardinality of a set sequenceA(as a function of ℓ) will be denoted by |A|.}

Miscellaneous notations.We denote a sequence of bit strings by−→− symbol. For example, the notation−→m ←D(mk,idch,−→c) means that−→m is the sequence of the results when we apply the algorithmD(mk,idch,−) to each component of−→c. The bitwise complement of a bit string

xis denoted byx.

Identity based encryption (IBE). An IBE scheme is specified by four probabilistic poly-nomial time (PPT) algorithms:

Setup (S) takes a security parameter 1ℓ_{and returns the system parameterspmsand}

master-key mk. The parameters pms include includes the security parameter 1ℓ_{; the description}

of setsID,M,C, which denote the set of identities, messages and ciphertexts respectively. pmsis publicly available, while the mkis kept secret by the KGC.

Extract (X) takes as inputs pms, mk and id ∈ IDℓ; it outputs the private key did corre-sponding to the identityid.

Encrypt (E takes as inputspms, an identityid∈ IDℓ and m∈ Mℓ.It returns a ciphertext c∈ Cℓ.

Decrypt (D) takes as inputs pms, a private key did and c ∈ Cℓ, and it returns m ∈ Mℓ or

reject when cis not a legitimate ciphertext. For the sake of consistency, these algorithms must satisfy that for all id∈ IDℓ, m∈ Mℓ,

D(pms, did, c) =m, where c=E(pms,id, m) and did=X(pms,mk,id)

2.1 Attacks models for identity based encryption

The attack models mostly used for IBE in the literature can be classified by combining the following items:

– The adversary is given/not-given to access a decryption oracle;

– The adversary can adaptively select the identity it wants to attack or it is forced to commit ahead of time to the identity under attack,

which results then in 4 different attacks models. Regardless of the attack model under con-sideration, the adversary is supposed to have access to an extraction oracle, which on input an identity id it outputs the corresponding decryption key did. The decryption oracle, on inputs an identity id and a ciphertext c, it outputs D(pms, did, c). The adversary can query these oracles polynomially many times and in an adaptive manner [BF03]. There is no need to include in the attack model an encryption oracle, since in an IBE scheme the adversary is able to simulate this oracle after knowing the public parameters pms of the scheme. The attack models under consideration are referred to assID-CPA,ID-CPA,sID-CCA,ID-CCA.

2.2 One-wayness - OW

In the following, one-wayness security definitions for IBE are presented. As far as we know, only one-wayness against full-identity chosen-plaintext attacks (referred to as OW-ID-CPA in the following definition) has been previously considered in the literature. Following the notation in [BDPR98],Oi =εmeansOi is the function which returns the empty stringεon

any input.

Definition 1 (OW-{ID, sID}-{CCA, CPA}) Let Π= (S, X, E, D) be an IBE scheme, and let

A = (A0,A1,A2) be any 3-tuple of PPT oracle algorithms. For ATK = sID-CPA,ID-CPA,

sID-CCA,ID-CCA,we sayΠ isOW-ATKsecure if for any 3-tuple of PPT oracle algorithmsA

Pr 2

6 6 6 6 6 4

m′=m

˛ ˛ ˛ ˛ ˛ ˛ ˛ ˛ ˛ ˛ ˛

(id, γ)← A0(1ℓ)

(pms,mk)←S(1ℓ_);

(idch, σ)← AO1,O2

1 (pms,id, γ)

m←P(Upoly(ℓ)); c←E(pms,idch, m);

m′

← AO₂ 1,O2`

σ,(idch, c)´

3

7 7 7 7 7 5

∈negl(ℓ),

and

If ATK=sID-CPA then O1(·) =X(pms,mk,·), O2(·) =ε and idch :=id If ATK=ID-CPA then O1(·) =X(pms,mk,·), O2(·) =ε

If ATK=sID-CCAthen O1(·) =X(pms,mk,·), O2(·) =D(pms,mk,·) and idch :=id

In the above expression σ and γ denote some state information. By giving mk as input to the decryption algorithm D we mean that it can decrypt ciphertexts related to any identity. Additional requirements are that neitherA1 nor A2 are allowed to queryO1 on the challenge

identity idch, and A2 can not query O2 on the challenge pair (idch, c). These queries may be asked adaptively, that is, each query may depend on the answers obtained to the previous queries.

2.3 Indistinguishability - IND

In the following we recall the indistinguishability security notions obtained from the attacks previously considered in the literature.

Definition 2 (IND-{ID, sID}-{CCA, CPA}) Let Π= (S, X, E, D) be an IBE scheme, and let

A = (A0,A1,A2) be any 3-tuple of PPT oracle algorithms. For ATK = sID-CPA,ID-CPA,

sID-CCA,ID-CCA, we say Π is IND-ATK secure if for any 3-tuple of PPT oracle algorithms

A,

p

(1) ℓ −p

(2) ℓ

∈negl(ℓ), where

p(i)_ℓ = Pr



     

v= 1

(id, γ)← A0(1ℓ)

(pms,mk)←S(1ℓ);

((m(1), m(2),idch), σ)← A₁O1,O2(pms,id, γ)

c←E(pms,idch, m(i));

v← AO₂ 1,O2(σ,(idch, c))



     

In the last expression, the oracles O1,O2 as well as the access to them are as in Definition

1. Additionally, m(1) and m(2) are required to have the same length; neither A1 nor A2 are

allowed to query O1 on the challenge identityidch, and A2 can not queryO2 on the challenge

pair (idch, c). These queries may be asked adaptively, that is, each query may depend on the answers obtained to the previous queries.

3 Semantic Security and Non-Malleability for Identity Based Encryption

In this section, semantic security as well as non-malleability for IBE schemes are defined for the first time to the best of our knowledge. These definitions are obtained by adapting the definitions of semantic security [GM84,GLN02] and non-malleability [BDPR98,BS99] for PKE to the attack scenario proposed in [BF03].

3.1 Semantic Security - SS

In the following we rephrase the definitions in [GLN02] for the IBE setting. In our scenario, a CPAattacker is given access to one oracle for extraction of private keys, while aCCAadversary is additionally given access to a decryption oracle. The attack is broken in two stages:

input bits that equals the number of output bits inP. The idea is thatP specifies a prob-ability space on plaintexts, whileLspecifies partial information (i.e., “information leak”) regarding the plaintext that is given to the adversary, andF specifies partial information (regarding the plaintext) that the adversary claims to be able to learn.

Stage 2: In the second stage the adversary is given an encryptioncof a plaintextmunder an identityidch along withL(m), wheremis selected according to P and the adversary does not know the decryption key foridch. BothCPA and CCAadversaries are not allowed to query the extraction oracle onidch, while theCCAadversary can not query the decryption oracle on the pair (idch, c).

Roughly speaking, an IBE scheme is said to be semantically secure under CPA (respec-tively CCA) if for every efficient CPA (respectively CCA) attacker as above, there exists a corresponding benign adversary that “performs as well” without seeing the ciphertexts. Con-cretely, the benign adversary is not given any oracle access, it produces a challenge template (P, L, F) and is supposed to guess F(m) given L(m). Additional requirements are that the benign adversary is supposed to produce (P, L, F) according to the same distribution as the real adversary, and to be as successful as the real adversary in guessingF(m).

Note that the benign adversary models an ideal situation in which it produces the same challenge template as the real adversary, but it is given a “perfectly secure encryption” of the plaintextm, that is, it is given nothing [Gol93].

Definition 3 (SS-{ID, sID}-{CCA, CPA}) Let Π = (S, X, E, D) be an IBE scheme, and let B = (B0,B1,B2) be a 3-tuple of PPT oracle algorithms. For ATK = sID-CPA,ID-CPA,

sID-CCA,ID-CCA, we say Π is SS-ATK secure if for any 3-tuple of PPT oracle algorithms B

there exists a 3-tuple of PPT algorithms B′ = (B′₀,B₁′,B₂′), such that the following conditions hold:

Pr



       

v=F(m)

(id, γ)← B0(1ℓ);

(pms,mk)←S(1ℓ_);

(P,idch, L, F), σ

← BO₁ 1,O2(pms,id, γ) (c, β)← E(pms,idch, m), L(m)

, where

m←P(U_poly(ℓ));

v← B₂O1,O2 σ,(idch, c), β



       

<Pr



v=F(m)

(P, L, F), σ′

← B₁′(1ℓ_); m←P(U_poly(ℓ));

v← B′₂ σ′, L(m) 

+ε(ℓ),

where ε(ℓ) ∈ negl(ℓ), and for every ℓ the (P, L, F) part in the random variables B₁′(1ℓ₎

and B₁O1,O2(pms,id) are identically distributed. The oracles O1,O2 as well as the access to

them are as in Definition 1. Additionally, neither B1 nor B2 are allowed to query O1 on the

challenge identityidch, and B2 can not queryO2 on the challenge pair(idch, c).These queries

may be asked adaptively.

3.2 Non-malleability - NM

new definition was simpler since it did not use simulators. Intuitively, an encryption scheme is non-malleable if, given a ciphertext, the adversary cannot conjure up another ciphertext whose decryption is meaningfully related to the decryption of the given one. This notion models the tamper-proofness of a scheme.

In this paper non-malleability is defined without using simulators, adapting the definition for public-key schemes in [BDPR98] to the IBE framework. After receiving a challenge pair (idch, c),the aim of the adversary is to output the description of a relationR and a vector of ciphertexts −→c (no component of which is the challenge ciphertext c) such that the relation

R(m,−→m) holds, where −→m ← D(mk,idch,−→c) and m is the plaintext hidden in the challenge ciphertext. The adversary is successful if it can do this with probability significantly greater than that with which R(m0,−→m) holds for some randomm0 of the same length as m. In the

following the notationD(mk,idch, c) =⊥means thatc is not a legitimate ciphertext,

Definition 4 (NM-{ID, sID}-{CCA, CPA}) Let Π = (S, X, E, D) be an IBE scheme, and let C = (C0,C1,C2) be any 3-tuple of PPT oracle algorithms. For ATK = sID-CPA,ID-CPA,

sID-CCA,ID-CCA, we say Π is NM-ATK secure if for any 3-tuple of PPT oracle algorithms

C, the advantage

Pr



     

v= 1

(id, γ)← C0(1ℓ); (pms,mk)←S(1ℓ);

(P,idch, σ)← C₁O1,O2(pms,id, γ);

m←P(Upoly(ℓ)); c←E(pms,idch, m);

(R,−→c)← C₂O1,O2(σ,(idch, c)); −→m ←D(mk,idch,−→c);

if c6∈ −→c ∧ ⊥ 6∈ −→m∧R(m,−→m) then v←1 else v←0;



     

−Pr



     

v= 1

(id, γ)← C0(1ℓ); (pms,mk)←S(1ℓ);

(P,idch, σ)← C1O1,O2(pms,id, γ); m, m0←P(Upoly(ℓ)); c←E(pms,idch, m); (R,−→c)← C₂O1,O2(σ,(idch, c)); −→m ←D(mk,idch,−→c);

if c6∈ −→c ∧ ⊥ 6∈ −→m∧R(m0,−→m) then v←1 else v←0;



     

is negligible as a function onℓ. In the last expression, the oraclesO1,O2 as well as the access

to them is defined as in Definition 1, andP specifies a probability space onMℓ. Additionally,

neitherC1 norC2 are allowed to queryO1 on the challenge identityidch, andC2 can not query O2 on the challenge pair (idch, c). These queries may be asked adaptively.

Remark 1. The security notions described here and in the previous section can be easily de-fined in the Random Oracle Model [BR93], where all parties have access to a random function

Hfrom strings to strings. The definitions are modified by including in the experiments defin-ing the advantage an initial step, in which some random functions H are chosen from the set of all functions from some appropriate domain to appropriate range. ThenH-oracles are provided to the algorithms and they may depend on H. It is easily verified that all of the implications and separations provided in this work also hold in the Random Oracle Model.

4 A separation between selective-identity and full-identity security

notions

goal-sID-CCA does not imply OW-ID-CPA, that is, the strongest selective-identity security levels are strictly weaker than the weakest full-identity security level.

Theorem 5 For any goal ∈ {IND, SS, NM}, goal-sID-CCA does not implyOW-ID-CPA.

Proof: Assume that there exists an IBE scheme Π = (S, X, E, D) which is goal-sID-CCA secure for some goal ∈ {IND, SS, NM} (otherwise the claim is trivially true). We construct another IBE scheme Π′ _{= (S}′_{, X}′_{, E}′_{, D}′_{) which is goal-sID-CCA but notOW-ID-CPA, whose} existence proves the theorem. The scheme Π′ is defined as follows:

S′

(1ℓ_{) X}′

(pms′

,mk′

,id) E′

(pms′

,id, m) D′

(pms′

, did, C)

(pms,mk)←S(1ℓ_);

return return return

id+← IDℓ; X(pms,mk,id); E(pms,id, m) D(pms, did, C)

d+_{←X(pms,mk,id}+_); pms′←(pms,id+, d+); return `pms′

,mk´

It is trivial to check thatΠ′qualifies as an IBE scheme ifΠdoes. From the definition ofΠ′and the definition of sIDattacks2_{, it also holds that ID}′ _=ID:=

IDℓ _ℓ∈Z+ =

{0,1}p(ℓ) ℓ∈Z+ for a certain p(ℓ) ∈ poly(ℓ). Π′ is not OW-ID-CPAdue to the following successful adversary

A= (A0,A1,A2):

Algorithm AO1′,O′2

1 (pms

′

)

idch←id+; σ←(d+,pms);

m(1), m(2)← Mℓ, s.t.|m(1)|=|m(2)|;

return `

(m(1), m(2),idch), σ´

Algorithm AO′1,O′2

2 `

σ,idch, c´

return D(pms, d+, c)

A simple calculation shows that theOW-ID-CPAadvantage of the adversaryA= (A0,A1,A2)

is 1. The basic idea is thatA1knows the decryption key related toid+once it getspms′. Then

it setsidch :=id+, it qualifies as a OW-ID-CCAadversary (A1 did not queryid+ to its oracle O′

1) and finally it can decrypt any ciphertext related to the challenge identity, thus effectively

breaking the one-wayness of Π′. It remains to show that the new scheme Π′ is secure in the sense of goal-sID-CCA. We argue by contradiction: if we have a successful goal-sID-CCA attacker C = (C0,C1,C2) for this new scheme, then from that we can construct a successful

goal-sID-CCA B = (B0,B1,B2) attacker for the original scheme Π. The details are given in

Appendix??. ⊓⊔

Notice that in the previous proof, the algorithmA0 was not specified, since it is useless in

full-identity attack scenarios. In the following we will focus on full-identity scenarios, so the algorithm with subscript 0 in every adversary tuple is dropped for the sake of simplicity.

5 Relations between full-identity security notions

In this section implications and separations for one-wayness, indistinguishability, semantic security and non-malleability for full-identity chosen-plaintext and chosen-ciphertext attacks are presented.

Theorem 6 OW-ATKdoes not imply IND-ATK, for ATK = ID-CPA, ID-CCA.

Proof: This proof is straightforward, and the reader is referred to the final version of the

paper. ⊓⊔

Theorem 7 IND-ATK entails SS-ATK, for ATK = ID-CPA, ID-CCA.

Proof: We present the proof for the ID-CCA case. The modification for the ID-CPA case is easy by dropping the access to decryption oracle.

Given an SS-ID-CCA adversary (B1,B2), we construct its benign simulator (B1′,B2′) as

follows. The algorithm B₂′ simulates B2 by feeding the encryption of “fake plaintext” 1|m|

instead of a real plaintext m ←P(Upoly(ℓ)): since the scheme is IND-ID-CCA this should not

affect the advantage.

Algorithm B₁′(1ℓ₎

(pms,mk)←S(1ℓ_{); (P,idch, L, F), σ}

← B₁O1,O2(pms);

n←(the number of output bits inP);

return (P, L, F), σ,pms,mk,idch,1n)

Algorithm B′₂ (σ,pms,mk,idch,1n), β

v← B₂O1,O2(σ,(idch,(E(pms,idch,1n), β)) ;

return v

It is obvious that the (P, L, F) part of the output ofB1 andB1′ are identically distributed.

We shall show that the simulator thus defined is as successful as the actual adversary. The advantage of the simulator (B₁′,B₂′) is evaluated as follows.

Pr



   

v=F(m)

(pms,mk)←S(1ℓ_);

(P,idch, L, F), σ

← BXmk, Dmk

1 (pms); m←P(Upoly(ℓ));

v← BXmk, Dmk

2 (σ,idch, E(pms,idch,1|m|), L(m)

)



   

(1)

This probability is the same as the advantage of the original adversary (B1,B2), except

thatB2 is given the encryption of 1|m|instead ofm.

Claim 1 The two ensembles Vℓ=

σ,idch,(E(pms,idch,1|m|_{), L(m)), F(m)}

Exp

, Wℓ=

σ,idch,(E(pms,idch, m), L(m)), F(m) Exp

, under the following experiment

Experiment Exp

(pms,mk)←S(1ℓ); m←P(Upoly(ℓ)); (P,idch, L, F), σ

← BX₁ mk, Dmk(pms);

cannot be distinguished by any PPT algorithm TXmk, Dmk _{σ,idch,(α, β), γ which is not} al-lowed to query Xmk(idch) nor Dmk(idch, α).

It suffices to show Claim 1: if it is true, in particular the followingT does not distinguish

Vℓ and Wℓ.

Algorithm TO1,O2 _σ,id

ch,(α, β), γ

v← AO1,O2

2 (σ,idch,(α, β)); if v=γ then d←1 else d←0;

Hence the advantage of the simulator and that of the actual adversary are indistinguishable. This proves the theorem.

Claim 1 is proved by contradiction, using indistinguishability. Assume a successful distin-guisher T of Vℓ andWℓ exists. Then we can construct a successfulIND-ID-CCA distinguisher

(A1,A2).

Algorithm AO1,O2

1 (pms)

(P,idch, L, F), σ

← BO1,O2

1 (pms); m←P(U_poly(ℓ));

return (1|m|, m,idch),(σ, L, F, m)

Algorithm AO1,O2

2 (σ, L, F, m),(idch, α)

v← TO1,O2_{(σ,idch,(α, L(m)), F(m));}

return v

(A1,A2) does not make those oracle queries an IND-ID-CCA distinguisher is prohibited to

make, because B1 orT does not.

For probabilities p(1)_ℓ , p(2)_ℓ in the definition of IND-ID-CCA, the following equations are straightforward.

p(1)_ℓ =PrhTXmk, Dmk_(V

ℓ) = 1

i

p(2)_ℓ =PrhTXmk, Dmk_(W

ℓ) = 1

i

Therefore the success of T implies the success of (A1,A2), which is a contradiction. ⊓⊔

Theorem 8 SS-ATK entails IND-ATK, for ATK = ID-CPA, ID-CCA.

Proof: The proof is presented for ATK=ID-CCA. The modification for ID-CPA case is easy. We argue by contradiction. Assume that an IBE scheme (S, X, E, D) has a successful IND-ID-CCAdistinguisher (A1,A2). We shall construct anSS-ID-CCAadversary whose advantage

is distinguishably larger than that of any benign simulator. The construction is rather obvious: the first part of the adversary outputs a challenge template (P,idch, L, F) such that

– P chooses one out of m(1) and m(2), the two challenge plaintexts A1 outputs, with the

uniform probability;

– L outputs the constant value so that the benign simulator cannot gain any information about the plaintext;

– F(m(1)) = 1 and F(m(2)) = 0.

However in the formal proof some subtle details need careful consideration, which can be found below.

We can assume without loss of generality that A2 always outputs either 0 or 1. If it is

not the case we define a new oracle PPTA′₂ which invokes A2 and outputs 1 ifB2 outputs

1, and outputs 0 otherwise: obviously the pair (A1,A′2) is again a successful distinguisher.

We can also assume, from the success of IND-ID-CCA distinguisher (A1,A2), that for some

polynomialq and infinitely many ℓ’s the following holds: p(1)_ℓ −p(2)_ℓ ≥ _q(ℓ)1 .Note that we no longer take the absolute value.

Additionally, for the technical reason, we assume that the algorithm A1 always outputs

(A′₁,A′₂) as follows.

Algorithm A′O1,O2

1 (pms)

(m(1)_{, m}(2)_,id

ch), σ

← AO1,O2

1 (pms);

if m(1)_6=m(2) _{then d←0 else d←1;}

if d= 0 then m′ _←m(2) _{else m}′_←m(1)_;

return (m(1)_{, m}′_,id

ch),(σ, d)

Algorithm A′O1,O2

2 (σ, d),(idch, c)

if d= 0 then v← AO1,O2

2 (σ,(idch, c)) else v ←U1;

return v

Obviously the advantage of (A′

1,A′2) is identical to that of (A1,A2), and A′1 is ensured to

output distinct challenge plaintexts,

Using the distinguisher we construct anSS-ID-CCA adversary (B1,B2) as follows.

Algorithm BO1,O2

1 (pms)

(m(1), m(2),idch), σ

← AO1,O2

1 (pms); n←

m(1) ;

P ←a circuit with one input bit such that P(0) =m(1) and P(1) =m(2);

L←a circuit withn input bits, which outputs constantly 0;

F ←a circuit which outputs 1 for input m(1)_{, 0 for the other inputs;}

return (P,idch, L, F), σ

Algorithm BO1,O2

2 (σ,idch,(α, β))

v← AO1,O2

2 (σ,(idch, α));

return v

Note that, by our assumption thatm(1) 6=m(2)in the output ofA1, for an output (P,idch, L, F), σ

of B1 we always have F(P(0)) =F(m(1)) = 1 and F(P(1)) =F(m(2)) = 0. (B1,B2) does not

make prohibited oracle queries because (A1,A2) does not.

Let us denote the following experiments by Exp(i) for i = 1,2, where i denotes which plaintext is chosen.

Experiment Exp(i)

(pms,mk)←S(1ℓ_{); ((m}(1)_{, m}(2)_,id

ch), σ)← AX1 mk, Dmk(pms); c←E(pms,idch, m(i)); v← AX2 mk, Dmk(σ,(idch, c));

Obviously p(i)_ℓ (as in the definition of IND-ID-CCA) is equal toPr[v= 1|Exp(i)]. Now the advantage of the above adversary (B1,B2) for givenℓis calculated as follows.

Pr     

v=F(m)

(pms,mk)←S(1ℓ);

((P,idch, L, F), σ)← B₁Xmk, Dmk(pms);

m←P(Upoly(ℓ)); v← BXmk, Dmk

2 (σ,idch,(E(pms,idch, m), L(m)))

     (†) = 1 2 Pr h

v= 1

Exp

(1)i₊1

2 Pr

h

v= 0

Exp

(2)i

(‡)

= 1 2 Pr

h

v= 1

Exp

(1)i₊1

2

1−Prhv= 1

Exp

(2)i₌ 1

2+ 1 2 p

(1) ℓ −p

(2) ℓ

Here (†) holds because m(1) 6=m(2), and (‡) holds because B2 always outputs either 0 or 1.

By assumption, the last quantity is distinguishably larger than 1/2, as a function onℓ. Let (B′₁,B′₂) be an arbitrary benign simulator of (B1,B2). Its advantage is evaluated as

follows, using the fact that the (P, L, F) part in the outputs of B1 and B1′ are identically

distributed.

Pr



v=F(m)

((P, L, F), σ′_{)← B}′

1(1ℓ); m←P(Upoly(ℓ)); v← B′

2(σ′, L(m))





= 1 2Pr



v= 1

(P, L, F), σ′

← B′₁(1ℓ);

m←P(0);

v← B′

2(σ′,0)



+

1 2Pr



v= 0

(P, L, F), σ′

← B₁′(1ℓ);

m←P(1);

v← B′

2(σ′,0)





≤ 1

2Pr

v= 1

(P, L, F), σ′

← B′

1(1ℓ); v ← B₂′(σ′,0)

+1 2

1−Pr

v= 1

(P, L, F), σ′

← B′

1(1ℓ); v← B′₂(σ′,0)

= 1 2 .

Hence the success rate of the actual adversary is distinguishably larger than that of any benign simulator, which contradicts our assumption ofSS-ID-CCA. This concludes the proof. ⊓⊔

Theorem 9 NM-ATK entails IND-ATK, for both ATK = ID-CPA, ID-CCA.

Proof: The proof is presented for the caseATK=ID-CCA. ForATK=ID-CPAthe modification is easy by just dropping oracle accesses.

By contradiction. Assume we have a successful IND-ATK distinguisher (A1,A2). Then

using them we can construct a successfulNM-ATK adversary (C1,C2) as follows.

Algorithm CO1,O2

1 (pms)

(m(1)_{, m}(2)_,id

ch), σ

← AO1,O2

1 (pms);

P ←a circuit with one input bit such thatP(0) =m(1) _{and P(1) =m}(2)_;

return P,idch,(σ, m(1), m(2))

Algorithm CO1,O2

2 (σ, m(1), m(2)),idch, c

v ← AO1,O2

2 σ,(idch, c)

;

if v= 1 then d←E(pms,idch, m(1)) else d←E(pms,idch, m(2));

R ←Comp,whereComp(x, y)⇐⇒def. x=y ;

return (R, d)

The pair (C1,C2) thus defined does not make prohibited oracle queries (as an NM-ID-CCA

adversary) because (A1,A2) does not (as anIND-ID-CCAdistinguisher).

The trick is that we take as R a relation other than the equality: this ensures that the ciphertextdoutput byC2 is distinct from the challenge ciphertextcgiven toC2. It is

straight-forward to show that this pair (C1,C2) is indeed successful: details follow next.

As in the proof of Theorem 8 we can assume that, the successfulIND-ID-CCAdistinguisher (A1,A2) is such that: 1)A2 always outputs either 0 or 1; and 2) the functionp(1)ℓ −p

(2) ℓ overℓ

(rather than its absolute value) is not negligible; and 3)A1 always outputs distinct challenge

Experiment Exp(i)

(pms,mk)←S(1ℓ_{); (m}(1)_{, m}(2)_,id

ch), σ

← AXmk, Dmk

1 (pms); c←E(pms,idch, m(i)); v′ ← AX2 mk, Dmk(σ,(idch, c));

if v′_{= 1 then c}′ _←E(pms,id

ch, m(1)) else c′←E(pms,idch, m(2));

m′ ←D(mk,idch, c′);

Now for the NM-ID-CCA adversary (C1,C2) constructed using (A1,A2), its advantage is

calculated as follows.

1 2

X

i=1,2

Prhc6=c′∧ ⊥ 6=m′∧Comp(m(i), m′)

Exp

(i)i

−1

4

X

i,j=1,2

Prhc6=c′∧ ⊥ 6=m′∧Comp(m(j), m′)

Exp

(i)i

(∗)

= 1 4

X

i=1,2

PrhComp(m(i), m′)

Exp

(i)i₋1

4

X

(i,j)=(1,2),(2,1)

Prhc6=c′∧Comp(m(j), m′)

Exp

(i)i

(†) ≥ 1

4p

(1) ℓ +

1 4(1−p

(2) ℓ )−

1 4(1−p

(1) ℓ )−

1 4p

(2) ℓ =

1 2(p

(1) ℓ −p

(2) ℓ ) .

In the equality (∗) we use the facts thatm′ inExp(i)must be eitherm(1)orm(2) hence not⊥, and that if Comp(m(i)_{, m}′_{) then c ← E(pms,id}

ch, m(i)) and c′ ← E(pms,idch, m′) cannot be identical.3 For the inequality (†) we first drop the conditionc6=c′ in the second probability, and then use the equalities such as PrhComp(m(2), m′)|Exp(2)i=Prhv′ 6= 1|Exp(2)i= 1− p(2)_ℓ . By the success of (A1,A2) this function is not negligible, which contradicts that the

scheme is NM-ID-CCA. ⊓⊔

Theorem 10 IND-ID-CCA implies NM-ID-CCA.

Proof: Assume the existence of a successful NM-ID-CCA adversary (C1,C2). Using it we

construct a successful IND-ID-CCA distinguisher (A1,A2) as follows. The point is, since A2

has an access to decryption oracle, it can decrypt the ciphertexts output by C2 which are

related to the challenge ciphertext.

Algorithm AO1,O2

1 (pms)

(P,idch, σ)← CO1₁ ,O2(pms);

m(1) ←P(Upoly(ℓ)); m(2)←P(Upoly(ℓ));

return (m(1), m(2),idch),(m(1), m(2), σ) Algorithm AO1,O2

2 (m(1), m(2), σ),(idch, c)

(R,−→c)← CO1,O2

2 σ,idch, c

; −→m ←O2(idch,−→c);

if ⊥ 6∈ −→m∧R(m(1)_,−→_m)

then v←1 else v←0;

return v

3 _{Note that Comp(m}(j)_{, m}′

) does not ensure c 6= c′ when j 6= i. Here c ← E(pms,idch, m(i)), c′ ←

We can assume that in every execution (R,−→c) ← CO1,O2

2 (σ,idch, c) we have c 6∈ −→c.4 This yields that (A1,A2) thus defined does not make prohibited oracle queries. The advantage of

(A1,A2) (before taking the absolute value), p(1)_ℓ −p(2)_ℓ , is identical to that of (C1,C2), hence

must be non-negligible. This is a contradiction. ⊓⊔

Theorem 11 IND-ID-CPA does not imply NM-ID-CPA.

Proof: Assume that there exists an IBE scheme (S, X, E, D) which isIND-ID-CPA(otherwise the claim is trivially true). We construct another IBE scheme (S, X, E′_{, D}′_{) which is} IND-ID-CPA but notNM-ID-CPA, whose existence proves the theorem.

Algorithm E′_{(pms,id, m)}

c1 ←E(pms,id, m); c2←E(pms,id, m);

return (c1, c2)

Algorithm D′ _mk,id,(c

1, c2) m←D(mk,id, c1);

return m;

The algorithms E′, D′ thus defined obviously satisfy the condition that a ciphertext, when decrypted, yields the original plaintext.

The scheme (S, X, E′, D′) is not NM-ID-CPAdue to the following successful adversary: a simple calculation shows that the advantage of this adversary (C1,C2) is 1−1/2ℓ, where 1/2ℓ

is the probability a random (fake) plaintext m0 is accidentally equal to the real plaintextm.

Algorithm CO1,O2

1 (pms)

P ←the identity circuit with ℓinput bits; idch←Uℓ; σ ←the empty string;

return (P,idch, σ)

Algorithm CO1,O2

2 σ,idch,(c1, c2)

return Comp,(c2, c1)

It remains to show that the new scheme (S, X, E′_{, D}′_{) isIND-ID-CPA. We argue by} contra-diction: if we have a successfulIND-ID-CPAdistinguisher (A1,A2) for this new scheme, then

from that we can construct a successful distinguisher for the original scheme (S, X, E, D). For the notational convenience, let us denote by q_ℓ(i,j) the following probability, for each i= 1,2 andj = 1,2.

q(i,j)_ℓ =Pr





v= 1

(pms,mk)←S(1ℓ_{); (m}(1)_{, m}(2)_{,idch), σ}

← AXmk

1 (pms); c1 ←E(pms,idch, m(i)); c2←E(pms,idch, m(j));

v← AXmk

2 σ,(idch,(c1, c2));





 .

Then the advantage of the distinguisher (A1,A2) is now denoted by

q_ℓ(1,1)−q(2,2)_ℓ = q(1,1)_ℓ −q(1,2)_ℓ

+ q_ℓ(1,2)−q_ℓ(2,2)

.

Since this probability is non-negligible, either q(1,1)_ℓ −q_ℓ(1,2) or q_ℓ(1,2) −q(2,2)_ℓ must be non-negligible. We shall show that in either case we can construct a successful IND-ID-CPA dis-tinguisher (A′₁,A′₂) for (S, X, E, D) using (A1,A2), which contradicts our assumption.

4 _{We can modify C}

2 such as, if c ∈ −→c then the output is (Empty, c), whereEmpty is the empty relation.

If the former probability is non-negligible, define (A′₁,A′₂) as follows. It is straight forward to see that its advantage is equal toq_ℓ(1,1)−q_ℓ(1,2) hence non-negligible.

Algorithm A′O1

1 (pms)

(m(1)_{, m}(2)_,id

ch), σ

← AO1

1 (pms);

return (m(1), m(2),idch),(m(1), m(2), σ)

Algorithm A′O1

2 (m(1), m(2), σ),(idch, c)

c1 ←E(pms,idch, m(1)); c2←c;

v← AO1

2 σ,(idch,(c1, c2));

return v

If the latter probability q_ℓ(1,2)−q(2,2)_ℓ is non-negligible, (A′

1,A′2) is defined as follows. Its

advantage is equal to q(1,2)_ℓ −q_ℓ(2,2) hence non-negligible.

Algorithm A′O1

1 (pms)

(m(1)_{, m}(2)_,id

ch), σ

← AO1

1 (pms);

return (m(1)_{, m}(2)_,id

ch),(m(1), m(2), σ)

Algorithm A′O1

2 (m(1), m(2), σ),(idch, c)

c1 ←c; c2 ←E(pms,idch, m(2)_); v← AO1

2 σ,(idch,(c1, c2));

return v

This concludes the proof. ⊓⊔

The proof for the next theorem is substantially more complex than the analogous result for public-key schemes [BDPR98, Theorem 3.6]. This is due to an important difference between IBE and PKE attack models, namely the existence of extraction oracles.

Theorem 12 NM-ID-CPA does not implyIND-ID-CCA.

Proof: Assume we have an IBE scheme (S, X, E, D) which is NM-ID-CPA. Using this we construct a new scheme (S′, X′, E′, D′) which isNM-ID-CPAbut notIND-ID-CCA.

We can assume that, for each ℓ ∈ Z+_{, we have a family of pseudo-random functions} Fℓ =

FK |K ∈ {0,1}ℓ , where FK :{0,1}poly(ℓ) _{→ {0,1}}poly(ℓ)_{. Notice this does not imply}

an extra assumption, since the existence of a NM-ID-CPAsecure IBE implies a IND-ID-CPA secure IBE by Theorem 9. This implies secure public key signature schemes [BF03], and this in turn implies one-way functions. Finally the existence of a family of pseudo-random functions is obtained by applying classical results such as [GGM86].

The idea of the construction is as follows. The new decryption algorithm, when queried on the value FK(id), reveals the decryption key for id. The value FK(id), which is unique

to each id and kept secret, can only be known by making a decryption query on a publicly known valuee. We have these two steps (etoFK(id) to the decryption key), instead of only one step (e to the decryption key), so that the scheme is easily shown to be NM-ID-CPA. This procedure of obtaining the decryption key can be done only by anID-CCAadversary: an ID-CPAadversary can try extraction queries, but it is prohibited to make it on the challenge identity hence the valuesFK(id) it obtains are irrelevent to the desiredFK(idch).

Algorithm S′(1ℓ)

(pms,mk)←S(1ℓ_{); e←Uℓ; K←Uℓ;}

return (pms, e),(mk, e, K)

Algorithm X′ pms,(mk, e, K),id

d←X(mk,id);

return d, e, FK(id)

Algorithm E′ _{(pms, e),id, m}

c←E(pms,id, m);

return (0, c)

Algorithm D′ pms,(d, e, g),(i, c) if i= 0 then m←D(d, c)

else if c=e then m←g

else if c=g then m←d

else m← ⊥;

Note that in the actual use the valueginD′ above will beFK(id). The scheme (S′, X′, E′, D′)

is notIND-ID-CCAdue to the existence of the following successful distinguisher (A1,A2). The

oraclesO₁′, O′₂ will beX₍′_mk,e,K), D′_(mk,e,K), respectively, where the decryption oracleD′_(mk,e,K)

is defined byD′_(mk,e,K)(id, c) =D′ pms, X′((mk, e, K),id), c

.

Algorithm AO

′

1,O′2

1 (pms, e)

m(1) ←(the uniform distribution over the message set specified inpms); idch ←Uℓ;

return (m(1), m(1)_,id

ch),(m(1), e)

Algorithm AO

′

1,O

′

2

2 (m(1), e),(idch,(0, c))

a←O₂′ idch,(1, e)

; b←O′₂ idch,(1, a)

; m←D(b, c);

if m=m(1) then v←1 else v←0;

return v

In the description of A2, the value a will be FK(idch) and b will be X(mk,id) in an actual attack. D is the decryption algorithm of the original IBE scheme. Obviously the advantage of this distinguisher (A1,A2) is 1, which is non-negligible.

It remains to show that the new scheme (S′_{, X}′_{, E}′_{, D}′_{) isNM-ID-CPA. We argue by} con-tradiction. Let (C1,C2) be a successfulNM-ID-CPAadversary for (S′, X′, E′, D′). We construct

an NM-ID-CPA adversary (C₁′,C₂′) for (S, X, E, D) as follows, and the adversary (C₁′,C₂′) will be shown to be successful.

Algorithm C′O1

1 pms

e←Uℓ; K ←Uℓ;

(P,idch, σ)← CO

′e,K 1

1 (pms, e)

;

return P,idch,(σ,pms, e, K)

Algorithm C′O₂1 (σ,pms, e, K),idch, c

(R,−→c)← CO

′e,K 1

2 σ,idch,(0, c)

;

for 1≤i≤ |−→c| do

if −→c[i] = (0, c′) then −→d[i]←c′

else if −→c[i] = (1, e) then −→d[i]←O2 idch, FK(idch)

else −→d[i]←c;

return (R,−→d)

Here, O′e,K₁ (meant to be X₍′_mk,e,K)) is emulated usingO1 (meant to be Xmk) as O′e,K1 (id) = O1(id), e, FK(id)

.

We shall show that the NM-ID-CPA adversary (C′

1,C2′) for (S, X, E, D) defined above is

expanding the definition we obtain the following description.

Experiment Exp₁

(pms,mk)←S(1ℓ_{); e←Uℓ; K←Uℓ;}

(P,idch, σ)← CX

′

(mk,e,K)

1 (pms, e)

;

m, m0 ←P(Upoly(ℓ)); c←E(pms,idch, m);

(R,−→c)← CX

′

(mk,e,K)

2 σ,idch,(0, c)

;

− →

d ←(constructed from −→c as in C₂′);

−

→_{m ←D(mk,id}

ch,

− →

d);

Experiment Exp₂

(pms,mk)←S(1ℓ_{); e←Uℓ; K←Uℓ;}

(P,idch, σ)← CX

′

(mk,e,K)

1 (pms, e)

;

m, m0 ←P(Upoly(ℓ)); c←E(pms,idch, m);

(R,−→c)← CX

′

(mk,e,K)

2 σ,idch,(0, c)

;

−

→_{m ←D}′ _{(mk, e, K),idch,}−→_c

;

In the sequel we denote a probability function evaluated under Exp₁ by Pr1[·], and one

eval-uated underExp₂ byPr2[·].

We make case-distinction: underExp₁orExp₂, exactly one of the following eventsE1, E2, E3

happens.

E1 def.= (−→c contains only (0,∗) or (1, e)) ,

E2 def.= (−→c contains only (0,∗) or (1, e) or (1, FK(idch)), but not E1) ,

E3 def.= (neitherE1 norE2) .

It is easy to seePr1[Ej] =Pr2[Ej] for each j= 1,2,3.

For notational convenience we define the following probabilities, forj= 1,2,3.

p(1, j) =Pr1

h

c6∈−→d ∧ ⊥ 6∈ −→m∧R(m,−→m)|Eji−Pr1

h

c6∈−→d ∧ ⊥ 6∈ −→m∧R(m0,−→m)|Eji ,

p(2, j) =Pr2[(0, c)6∈ −→c ∧ ⊥ 6∈ −→m∧R(m,−→m)|Ej]−Pr2[(0, c)6∈ −→c ∧ ⊥ 6∈ −→m∧R(m0,−→m)|Ej] .

The probability p(1, j) is the (conditional) advantage of (C′

1,C2′) under the event Ej, and p(2, j) is that of (C1,C2). Hence, by the case-distinction, the advantage of (C1′,C2′) is equal to

P3

j=1p(1, j)·Pr1[Ej], and that of (C1,C2) is P3j=1p(2, j)·Pr2[Ej].

First we consider the case E1 happens. In that case, the sequence of plaintexts −→m

ob-tained from −→c via −→d in Exp₁ is directly obtained by −→m ← D′ _{(mk, e, K),id} ch,−→c

. Hence the gap between p(1,1) and p(2,1) comes only from the conditions c 6∈ −→d in p(1,1) and (0, c) 6∈ −→c in p(2,1). More precisely, only the case that, −→c contains (1, e) and moreover

c=E pms,idch, FK(idch)

, contributes to the gap. In this case the plaintextmmust be iden-tical to FK(idch): this happens with only a negligible probability since the value FK(idch) remains secret to the adversary. Therefore we conclude that |p(1,1)−p(2,1)|is negligible.

Next we consider the caseE2happens. In this case−→c must contain 1, FK(idch)

FK(idch) hence this happens with only a negligible probability. To summarize, the probability Pr1[E2] =Pr2[E2] are both negligible.

Finally, we show that p(1,3) = p(2,3) = 0. The probability p(1,3) is 0 because, by the definition of C′

2 (especially the construction of − →

d from −→c), −→d contains c when E3 happens.

The probability p(2,3) is 0 because, whenE3 happens,−→c contains illegitimate ciphertext so

⊥ ∈ −→m.

Combining the previous three paragraphs and that Pr1[Ej] = Pr2[Ej], we have shown

that the advantage P3

j=1p(1, j)·Pr1[Ej] of (C1′,C2′) and

P3

j=1p(2, j)·Pr2[Ej] of (C1,C2) have

only a negligible gap. By assumption the latter is non-negligible the former must also be

non-negligible. This concludes the proof. ⊓⊔

6 Semantical security of IBE schemes under multiple-challenge CCA

In this section we present three notions of semantic security under multiple-challenge CCA, following the public-key version [GLN02]. Here an adversary is allowed to make polynomially many challenge templates. Moreover each template is answered with a challenge ciphertext immediately (not after making all the templates), and the next challenge template can be generated according to the preceding templates and their answers. After this stage of asking many challenge templates adaptively and in a related manner, the adversary tries to guess information about the unrevealed plaintexts which have been used in answering challenge templates.

We shall introduce three different types of multiple-challenge chosen ciphertext attacks:

– In themultiple-identityversion (mID-CCA), the challenger chooses one fixed plaintext, and the adversary can adaptively query its encryption under different identities polynomially many times.

– In themultiple-plaintext version (ID-mCCA), the adversary chooses one fixed identity, and can adaptively query encryption of different plaintexts under that identity polynomially many times.

– In themultiple-identity-plaintextversion (mID-mCCA), the adversary can adaptively query encryption of different plaintexts under different identities polynomially many times.

Obviously the first two are special cases of the last one. For each attack model we introduce the notion of semantic security, namely SS-mID-CCA, SS-ID-mCCA, and SS-mID-mCCA. We show that these three notions are all equivalent to semantic security under single-challenge CCA, and hence also to the technical notion of indistinguishability.

In the definition of SS-ID-CCA an adversary consists of two oracle PPT’s B1 and B2, in

such a way that B1 outputs a challenge template, the challenger chooses a plaintext and

presents its encryption, and then B2 tries to guess information about the plaintext. In the

multiple-challenge case this interaction is modelled by providing the adversary with a “tester” algorithm Tr,pms or Tr as its oracle. Tr,pms is given to an actual adversary (which obtains a ciphertext in addition to information leak), while Tr is given to its benign simulator (which only sees information leak). A challenge template is then sent to one of these oracles as a query (called “challenge query”).

Algorithm Tr,pms(P,idch, L)

return E(pms,idch, P(r)), L(r)

Algorithm Tr(P, L)

Intuitively the parameter r of a tester is understood as the multiple-challenge version of the coin tosses that the challenger uses to select plaintexts. It is a sufficiently long sequence of coin tosses (r1, r2, . . . , rt_{) which is unrevealed to the adversary. Given the i-th challenge}

template (Pi_,idi

ch, Li) (or (Pi, Li) from a simulator), the challenger chooses a plaintext by

Pi_(r1_{, r}2_{, . . . , r}i_{) using the firsticoin tosses inr. Note that now Lleaks information on coin}

tossesr rather than plaintexts Pi_(r1_{, r}2_{, . . . , r}i_).5

For multiple-challenge CCA adversaries, it is quite natural to put the same restrictions on the adversary’s oracle invocations as in the single-challenge version, namely:

– Extraction queries on challenge identities cannot be made;

– Decryption queries on challenge ciphertexts (obtained as answers to challenge queries) cannot be made.

However, as is shown in [GLN02], the second restriction is not necessary under multiple-plaintext CCA: such a decryption query by an actual adversary can be simulated by a benign simulator (which has only access to a tester oracle Tr) by making a challenge query on a extremely informative information leak L, namely L = P. For the sake of simplicity, we ignore this point of lifting restriction on decryption queries for the time being: this point is explained in detail in Appendix A.1. It seems that the first restriction on extraction queries is still necessary.

Definition 13 (Semantic security under multiple-challenge CCA) An IBE scheme (S, X, E, D)is said to be semantically secure under multiple-identity multiple-plaintext chosen ciphertext attacks(SS-mID-mCCA) if the following holds. For every oracle PPT algorithmD

(“SS-mID-mCCAadversary”) with the following restriction on oracle queries: in any execution of DO1,O2,O3_{(pms), for each challenge query (c, b) ← O}

3(P,idch, L) by D, D is prohibited to make

– the extraction query O1(idch) regardless of before or after the challenge query, or – the decryption queryO2(idch, c) after the challenge query

there exists a PPT algorithmD′ (“benign simulator ofD”) which is equally successful as D, in the following sense.

1. The difference between the advantage of the actual adversary D and that of the benign simulator D′, namely

Pr

"

v =F(r)

(pms,mk)←S(1ℓ); r ←Upoly(ℓ);

(F, v)← DXmk, Dmk, Tr,pms_(pms)

#

−Pr

"

v=F(r)

r←Upoly(ℓ);

(F, v)← D′Tr₍₁ℓ₎

#

is negligible as a function overℓ. 2. The two ensemples over ℓ∈Z+_:

"

(t, F)

(pms,mk)←S(1ℓ_{); r←U}

poly(ℓ);

(F, v)← DXmk, Dmk, Tr,pms_{(pms) with trace t}

#

and

"

(t, F)

r←Upoly(ℓ);

(F, v)← D′Tr₍₁ℓ_{) with tracet}

#

5 _{As is shown in the later definition, the same goes to the information to guess: it is about the coin tossesr}

are computationally indistinguishable (i.e. indistinguishable by any PPT algorithm). Here the trace of an execution of the actual adversary D is the sequence of (P, L)-part of the challenge queries(P,idch, L) made by D. The trace of an execution of the simulator D′ is simply the sequence of challenge queries D′ makes.

Semantic security under multiple-identity chosen ciphertext attacks (SS-mID-CCA) is de-fined analogously except that an adversary D is restricted to have the same plaintext circuit

P and the same information leakage circuit L in all the challenge queries in the trace of an execution of D (the challenge identityidch can vary).6

Semantic security under multiple-identity chosen ciphertext attacks (SS-ID-mCCA)is anal-ogous toSS-mID-mCCA_{except that an adversaryDmust have the same challenge identityidch} in all the challenge queries in the trace of an execution of D (P and L can vary).

Remark 2. Note that our mID-CCA attack is stronger than the attack consider in [BSS05], since in the latter case the adversary has to commit at once to the identities on which it wants to be challenged, while in the present case the i-th identity can be chosen depending on the challenges received so far.

Fig. 1.Implications between security notions (hence all equivalent)

SS-mID-CCA SS-mID-mCCA

IND-ID-CCA SS-ID-CCA SS-ID-mCCA

Theorem 14 The five security notions in Figure 1 for identity-based encryption schemes under a-posteriori chosen ciphertext attacks are all equivalent.

It is obvious thatSS-mID-mCCAentailsSS-mID-CCAandSS-ID-mCCA. We shall show the remaining implications in the following lemmas.

Lemma 15 SS-mID-CCA _entails SS-ID-CCA_{. Also,} SS-ID-mCCA _entails SS-ID-CCA_.

Proof: The proof (by contradiction) is much like that for Theorem 8. Assume that the IBE scheme is not SS-ID-CCA. By Theorem 7 we have a successful IND-ID-CCAdistinguisher (A1,A2), with which we construct a multiple-challenge adversaryD. It is shown thatDalways

has a trace of length 1 (hence qualifies as both SS-mID-CCA and SS-ID-mCCA adversaries), and that Dis distinguishably more successful than any benign simulator.

6 _{Note that, sinceP is deterministic, the plaintextP(r) which is encrypted by the tester oracleT}

r,pms stays

Assume that theIND-ID-CCAdistinguisher (A1,A2) is successful. Using this we construct

the following multiple-challenge CCA adversary.

Algorithm DO1,O2,O3_(pms) (m(1)_{, m}(2)_,id

ch), σ

← AO1,O2

1 (pms);

P, L, F ←(the same as in the proof of Theorem 8); (c, b)←O3(P,idch, L◦P); v← AO21,O2(σ,(idch, c));

return (F ◦P, v)

Here L ◦ P denotes the sequential composition of circuits in the order of P after L. This

D indeed qualifies both as an SS-mID-CCA adversary and as an SS-ID-mCCA adversary, due to the following reason. If it makes both an extraction query O1(idch) and challenge query

O3(∗,idch,∗) for some idch (which is prohibited), then the former is invoked by either A1 or A2, while the latter is invoked on the fourth line of the description henceidch is in the output

ofA1. This violates the condition of anIND-ID-CCAdistinguisher. Similarly we can show that D does not make a decryption query O2(idch, c) on a challenge ciphertext after a challenge query (c, b) ← O3(∗,idch,∗). Moreover, D makes a challenge query only once, which ensures the condition thatP and L (oridch) must stay the same in all the challenge queries.

We can assume the following additional properties of (A1,A2) as in Theorem 8:

– A2 always outputs either 0 or 1;

– p(1)_ℓ −p(2)_ℓ ≥1/q(ℓ) (instead of its absolute value) holds for some polynomialqand infinitely manyℓ’s;

– A1 always outputs distinct challenge plaintexts (i.e.m(1) 6=m(2)).

For the multiple-challenge adversaryDdefined above and givenℓ, its advantage is calcu-lated as follows.

Pr



v=F(r)

(pms,mk)←S(1ℓ_); r←Upoly(ℓ);

(F, v)← DXmk, Dmk, Tr,pms_(pms)



=

1 2 +

1 2(p

(1) ℓ −p

(2) ℓ ) ,

where the probabilities p(i)_ℓ are as in the definition of IND-ID-CCA. By the assumption that (A1,A2) is successful, the advantage of Dis distinguishably larger than 1/2.

LetD′ be an arbitrary benign simulator ofD. Its advantage is evaluated as follows.

Pr

"

v=F′(r)

r←U1;

(F′_{, v)← D}′Tr₍₁ℓ₎

#

(†)

= 1 2Pr

h

v= 1

(F

′_{, v)← D}′T0₍₁ℓ₎i₊ 1

2Pr

h

v= 0

(F

′_{, v)← D}′T1₍₁ℓ₎i

(‡)

= 1 2Pr

h

v= 1 (F

′_{, v)← D}′T0₍₁ℓ₎i₊ 1

2Pr

h

v= 0 (F

′_{, v)← D}′T0₍₁ℓ₎i_≤ 1

2 . Here (†) holds because theF′-part of the output ofD′ is by definition identically distributed as that ofD, hence F′_{(0) =F(P(0)) = 1 and F}′_{(1) =F(P(1)) = 0. The equation (‡) holds} because Tr(P, L) = L(r) and the traces of D and D′ are identically distributed: the only challenge query D′ makes is on the leakage circuit L in the definition of D, which outputs the constant value, hence the tester oraclesT0 and T1 gives the same answer. This inequality

yields that any simulatorD′ can never be as successful as the actual adversary D, which is a

Lemma 16 SS-ID-CCA _entails SS-mID-mCCA_.

Proof: The proof follows the idea of [GLN02]. Assume that an IBE scheme (S, X, E, D) is SS-ID-CCA, hence hasIND-ID-CCA. For a givenSS-mID-mCCAadversaryD, we construct its benign simulator D′ which invokesD emulating the tester oracle by giving encryption of the fake plaintext 1n_{. Just as in the proof of Theorem 7 we use the indistinguishability between}

the encryption of this fake plaintext and the actual challenge ciphertext.

The main technical challenge is that here the tester oracle is invoked polynomially many times. To overcome we use a hybrid argument. Let Πi

r,pms be the history-dependent tester oracle which answers using the actual plaintext for the first ichallenge queries but answers using the fake plaintext for the rest. If the difference between using Πi

r,pmsas a tester oracle and usingΠ_r,i+1_pms instead is negligible (which is shown using indistinguishability), then so is the difference between using Π_r,0_pms (i.e. the emulated oracle given to the simulator D′) and using Πr,polypms(ℓ) (i.e. the oracle given to the actual adversary D). That is the main idea of the proof, and the details are found next.

Given anSS-mID-mCCAadversaryD, we shall construct its benign simulator D′_{. First we} define a “fake tester”Tr,′pms by

Tr,′pms(P,idch, L) = E(pms,idch,1|P(r)|), Tr(P, L)

= E(pms,idch,1|P(r)|), L(r)

.

It is emulated (using the oracleTr) and plugged inDin the following definition of the simulator D′.

Algorithm D′Tr₍₁ℓ₎

(pms,mk)←S(1ℓ_{); (F, v)← D}Xmk, Dmk, Tr,′pms_(pms);

return (F, v)

We shall show that this simulatorD′_{has the same trace and is as successful asD. To that} end, let two experiments Exp,Exp′ be as follows:

Experiment Exp

(pms,mk)←S(1ℓ_{); r ←U}

poly(ℓ);

(F, v)← DXmk, Dmk, Tr,pms_{(pms) with tracet;}

Experiment Exp′

Same as Exp, except that we haveT_r,′_pms in place ofTr,pms

And then consider the following random variables.

Vℓ=

(t, F, v, r)

Exp

Wℓ=

(t, F, v, r) Exp′

The following equality follows from the definition ofD′:

Wℓ=

(t, F, v, r)

r←Upoly(ℓ);

(F, v)← D′Tr₍₁ℓ_{) with tracet}

.

Hence to prove the lemma it suffices to show that the ensembles{Vℓ}ℓ∈Z+ and {Wℓ}_ℓ∈Z+ are computationally indistinguishable.7

7 _{For example, to show that the simulatorD}′

is as successful asD, consider the algorithmT(t, F, v, r) which outputs 1 only when v = F(r). If D is distinguishably more successful than D′

then this algorithm T distinguishesVℓfromWℓ, which is a contradiction. The fact that (t, F) is indistinguishably distributed for

DandD′

To prove the indistinguishablity of {Vℓ}ℓ∈Z+ and {W_ℓ}_ℓ∈Z+, we use an hybrid argument as is already outlined. Let Πi

r,pms be a history-dependent i-th hybrid oracle (i ∈ N) which behaves asTr,pmsfor the firstiqueries, i.e.Πr,ipms(P,idch, L) = E(pms,idch, P(r)), L(r)

, and then behaves as Tr,′pmsfor the rest, i.e. Πr,ipms(P,idch, L) = E(pms,idch,1|P(r)|), L(r)

. Let us denote the followingi-th hybrid experiment (ofExpand Exp′) by Exp(i), fori∈N_.

Experiment Exp(i)

Same as Exp, except that we haveΠi

r,pms in place ofTr,pms

Define Y_ℓ(i) def.= [(t, F, v, r) | Exp(i)]. This is the i-th hybrid of Vℓ and Wℓ. In particular Y_ℓ(0) = Wℓ and Vℓ = Y_l(poly(ℓ)) (since D queries its tester oracle only polynomially many times). Hence it suffices to show: for i∈N_{, two ensembles {Y}(i)

ℓ }ℓ∈Z+ and {Y_ℓ(i+1)}_ℓ∈Z+ are computationally indistinguishable.

We argue by contradiction. Assume that a PPT algorithmT distinguishes the two ensem-bles. We construct a successfulIND-ID-CCAdistinguisher (A1,A2) usingT, whose existence is

a contradiction. In the following the polynomialtD maps a natural number nto the maximal number of steps in the execution ofDwith input of lengthn. Internal coin tosses thatDmakes with input of length nare hence described as an element of {0,1}tD(n)_{. We denote by D}

s the

algorithm D which executes according to specific coin tossess(hence Ds is deterministic).

Algorithm AO1,O2

1 (pms)

r ←U_poly(ℓ); s←U_tD(|pms|);

Execute DOs 1, O2, Tr,pms(pms) until it makes the (i+ 1)-th query

to the oracleTr,pms, and stop before its answer is obtained;

h←(all the oracle queries and their answers obtained in the course of the execution);

if (the (i+ 1)-th query to Tr,pms is indeed made)

(P,idch, L)←(the (i+ 1)-th query to Tr,pms);

return (P(r),1|P(r)|_,id

ch),(r, s, h,pms)

else

return (0,0,0),(r, s, h,pms)

Algorithm AO1,O2

2 (r, s, h,pms),(idch, c)

ExecuteDOs 1, O2, Tr,pms(pms) until it makes the (i+ 1)-th query

toTr,pms, using the coin tossessand emulating the oracles by the record h (hence this execution of Dis exactly the same as that in A1);

For (i+ 1)-th query (P,idch, L) to Tr,pms by D, feedDwith the answer (c, L(r)); Continue execution of Dusing the oracles O1, O2, Tr,′pms

(note that the tester oracle is now replaced by the fake one); (F, v)←(the output of the above execution ofD);

t←(the trace of the above execution of D);

d← T(t, F, v, r); return d

In the above we explicitly specify the coin tosses sand the record of oracle invocations h so that inA2 we can get exactly the same execution of Das in A1. We need the recordh since